MECHANISM SUFFICIENCY VALIDATION BY ASSIGNMENT (U)

L. J. Shirley and R. R. Schell
NPS52-81-001, Unclassified

1 May 1981


NAVAL  POSTGRADUATE  SCHOOL 
Monterey ,  California 


Rear  Admiral  J.  J.  Ekelund 
Superintendent 


Jack  R.  Borsting 
Provost 


The  work  reported  herein  was  supported  in  part  by  the 
Foundation  Research  Program  of  the  Naval  Postgraduate  School 
with  funds  provided  by  the  Chief  of  Naval  Research. 

Reproduction  of  all  or  part  of  this  report  is  authorized. 

This report was prepared by:

Lawrence J. Shirley

Roger R. Schell, Col., USAF
Associate Professor of Computer Science

Reviewed by:

G. H. Bradley

Released by:


REPORT DOCUMENTATION PAGE (DD Form 1473)

Title: Mechanism Sufficiency Validation by Assignment
Type of report: Technical Report
Authors: Lawrence J. Shirley and Roger R. Schell
Performing organization: Naval Postgraduate School, Monterey, CA 93940
Program element, project, task area and work unit numbers: N0002381R015374
Controlling office: Naval Supply Systems Command, Washington, D.C. 20376
Report date: May 1981
Monitoring agency: Chief of Naval Research, Arlington, VA 22217
Security classification of this report: Unclassified
Distribution statement: Approved for public release; distribution unlimited.
Supplementary notes: Presented at the IEEE Symposium on Security and Privacy, April 27-29, 1981.
Key words: Computer Security, Protection Mechanisms, Security Kernel, Operating Systems, Protection Domains, Relational Model


MECHANISM SUFFICIENCY VALIDATION BY ASSIGNMENT

Lawrence J. Shirley and Roger R. Schell, Col., USAF
Department of Computer Science
Naval Postgraduate School
Monterey, California

ABSTRACT


This paper introduces a mathematical framework for evaluating the relationship between policies and mechanisms. An evaluation approach called the assignment technique is defined. This technique consists of establishing an assignment between the security classes of information established by policy constraints, and the protection domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well formed protection policy. Although this paper presents preliminary results of research, the proposed framework suggests a promising new approach for evaluating the protection mechanisms of existing and proposed systems.




INTRODUCTION

The suitability of a protection mechanism for any given security policy is not always apparent. This paper presents a theoretical foundation for assessing the sufficiency of an access control mechanism as a means of enforcing a non-discretionary security policy. The technique, termed assignment, establishes a relationship between the information sensitivities of the system entities (partitioned according to policy constraints) and dominance domains (inherently established by a protection mechanism). The assignment technique provides a method for mechanism validation, since the results of the assignment can be evaluated to establish whether or not the constraints of the policy are met.

The assignment technique was developed as a means of identifying the limitations of well-formed access control mechanisms. The initial investigation examined the feasibility of using the Multics ring mechanism [13] as a means of enforcing a hierarchical compromise policy. Our basic national security policy [5] is a well known example. It was established by assignment (as is shown in this paper) that the Multics ring mechanism, of itself, cannot provide this security. On the other hand, it is shown that the Multics ring mechanism does enforce an important form of program integrity policy. This program integrity mechanism can be used to delimit a most privileged set of programs known as the security kernel [11]. The security kernel in turn provides a mechanism sufficient to enforce other security, integrity or access control policies. Thus, with the security kernel technology, the ring mechanism is sufficient for enforcing computer security. By using assignment, we have gained a much better understanding of the capabilities and limitations of a ring protection mechanism, and have introduced a tool for the assessment of other protection mechanisms.


PRINCIPLES OF ACCESS CONTROL


In order to clearly present the assignment technique we begin with a discussion of the principles of access control. This is necessary because much of the information published in this area appears to be imprecise or even contradictory in nature. Some of the terminology used in this paper may also appear to contradict other authors. These differences and distinctions are intentional and will be discussed in greater detail in an anticipated thesis [12] by Lt. Shirley. This paper merely addresses the basic framework which we choose for our discussion.

Lattice Security Policies

A security policy is based upon external laws, rules, regulations and other mandates that establish what access to information is to be permitted. We choose as our universe of discourse the lattice security policies as identified by Walters [15] and later also described by Denning [3]. These universally bounded lattice structures consist of finite, partially ordered sets of access classes in which every pair of classes has a least upper bound and a greatest lower bound, so that the set as a whole has a top and a bottom element. This class of policies encompasses many (if not all) practical policies. Such policies are of primary interest to national defense because all non-discretionary security policies can be represented as a lattice policy. To be effective, such policies must clearly establish an access class for all system entities, i.e., subjects (the active entities) and objects (the passive entities that may be referenced by a subject). Furthermore, the policy must identify all permissible access relations between the subjects and objects of the various equivalence classes. If a policy were not able to meet these two requirements, the enforcement of the policy could not be evaluated.


Note that we distinguish between processes and subjects in this paper. This is necessary because of the ambiguity that might result without the distinct notion of a subject as a process-domain pair [9, 12], particularly when we present a formalized definition of a domain.

Access Relations

Any specific policy will distinguish one or more distinct access relations between subjects and objects. These are typically mirrored in the "access modes" of the corresponding protection mechanism.

Two generic access modes are sufficient for a general discussion of the principles and policies discussed in this paper. These are [7] "observe" (the ability to observe information) and "modify" (the ability to modify information). Other primitive access modes are generally just a finer granularity of observation and modification privileges.

The enforcement of a policy is fundamentally limited by the system's granularity of access. Policies that prescribe distinctions not recognized by the access control mechanisms must be enforced in an overly restrictive manner or ignored. For example, a policy addressing a concatenation access relation cannot be precisely enforced on a system that does not recognize some form of append access mode.

The granularity of access control within a system is dependent upon the ability to distinguish attributes of subjects and objects and upon the variety of access modes available. The primitive access modes are associated with the design of the system, including the protection mechanisms, and designate the associated rights obtained by an access request.

An access relation is a tuple (subject, access mode, object). This tuple signifies that a relation between the subject and object exists such that the subject is permitted to access the object with all the privileges associated with the access mode. The problem of information security may generally be expressed as the problem of permitting the existence of only those access relations that in no way violate any of the applicable system policies.

Basic National Security Policy Example

The Basic National Security policy is a simple lattice policy. This policy defines entities as members of one of four hierarchical access classes (UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET). The greatest lower bound is UNCLASSIFIED and the least upper bound is TOP SECRET. Figure 1(A) represents this lattice structure.


Figure 1. (A) The lattice of the basic national security policy, from UNCLASSIFIED (greatest lower bound) to TOP SECRET (least upper bound); (B) its information flow characteristics in terms of observe and modify; (C) the permissible access relations between the equivalence classes.

Figure 1(B) shows the information flow characteristics of this lattice policy [4]. This information transfer path [15] can be analyzed with respect to permissible access relations.

Based on this analysis of the permissible access relations between subjects and objects with the various access classes, we derive an alternative illustration form that is convenient for our analysis. Figure 1(C) illustrates the basic national security policy using this form. Note that a node represents an equivalence class of entities all of which have the same access class. A directed arc represents the permissible access relations from a subject of the source equivalence class to an object of the destination equivalence class. Transitivity of access relations is not shown but is assumed.

Recall that a system is "secure" if there are no access relations that violate any applicable policy. The Simple Security Condition [1] states that if observe access is permitted, then the access class of the subject is greater than or equal to the access class of the object. The "Confinement Property" (historically known by the less descriptive name of *-Property [1]) states that if modify access is permitted, then the access class of the subject is less than or equal to the access class of the object. We can see that Figure 1(C) is derived directly from these two properties.

Access Domains

So far, we have concentrated on the properties of policies. We now examine the properties of the protection mechanisms used to enforce security policies. The principal notion we use is that of an access domain.

An access domain A_i is a tuple (a_1, a_2, ..., a_n), where n is the number of primitive access modes in the system and a_k is the set of all objects {o_1, o_2, ..., o_m} which a process executing in domain A_i may access by access mode k. Each a_k is termed an (access mode)-domain of A_i: the set of objects which a process executing in that domain has the right to access with that particular access mode.

Consider the following two domains:

    A_1 = ( O(A_1) = {o_1, o_2, o_3},  M(A_1) = {o_1, o_3} )
    A_2 = ( O(A_2) = {o_1, o_2},       M(A_2) = {} )

The observe-domain of A_1, denoted O(A_1), is the set of objects o_1, o_2 and o_3. The modify-domain M(A_2) is empty.

A set of dominance domains is implicitly established by the system's protection mechanisms. The dominance domains are not associated with any particularization of processes and objects, but rather dominate all the domains that may occur in the system.

Dominance domains may be uniquely labeled for convenience. In the Multics system, for example, the dominance domains established by the ring mechanism were known as rings and were labeled by ring numbers. Schroeder's protection mechanism also uses numbers as labels for dominance domains [14].

We say that A_i dominates A_j (A_i >= A_j) iff for each access mode k, a_k(A_j) is a subset of a_k(A_i). The system's protection mechanism, then, establishes a set of dominance domains which we can use for validation of protection mechanisms. Because these domains dominate all other domains that may occur in the system, if we can show that our policy holds for these domains, we have shown that it holds for the system.

In this paper, we choose to consider only protection mechanisms which establish a universally bounded lattice of dominance domains. Such mechanisms represent an interesting subset of protection mechanisms and provide simplicity in this discussion.
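The domain and dominance definitions above, worked in Python as an added example (this is not code from the paper): an access domain is a tuple of per-mode object sets, A_i dominates A_j iff every mode-domain of A_j is a subset of the corresponding mode-domain of A_i, and a mechanism's set of dominance domains is checked for the universally bounded lattice property the paper restricts itself to. The ring domains are derived from constructed sample ring brackets using the rule stated later in the paper for the Multics ring mechanism (a ring may observe an object with bracket (R1, R2, R3) iff ring <= R2 and modify it iff ring <= R1); the object names and bracket values are assumptions.

```python
"""Access domains, the dominance relation, and the lattice check (added example)."""
from itertools import product

# The system's primitive access modes, in the paper's generic form.
MODES = ("observe", "modify")


def domain(observe=(), modify=()):
    """An access domain: one set of objects per primitive access mode (observe-domain, modify-domain)."""
    return (frozenset(observe), frozenset(modify))


def dominates(a, b):
    """A dominates B iff, for every access mode k, the k-domain of B is a subset of the k-domain of A."""
    return all(b_k <= a_k for a_k, b_k in zip(a, b))


def ring_domains(brackets, rings):
    """Dominance domains of a Multics-style ring mechanism.

    brackets maps object name -> (R1, R2, R3).  A process in ring r may observe an
    object iff r <= R2 and modify it iff r <= R1, so ring r's domain is fixed by the
    brackets alone, independent of which process happens to run there.
    """
    return {
        r: domain(
            observe=(o for o, (r1, r2, r3) in brackets.items() if r <= r2),
            modify=(o for o, (r1, r2, r3) in brackets.items() if r <= r1),
        )
        for r in rings
    }


def is_bounded_lattice(domains):
    """True iff every pair of domains has a least upper bound and a greatest lower
    bound within the set (under dominance), which also guarantees a top and bottom."""
    doms = list(domains)
    for a, b in product(doms, repeat=2):
        uppers = [d for d in doms if dominates(d, a) and dominates(d, b)]
        lowers = [d for d in doms if dominates(a, d) and dominates(b, d)]
        has_lub = any(all(dominates(u, c) for u in uppers) for c in uppers)
        has_glb = any(all(dominates(c, l) for l in lowers) for c in lowers)
        if not (has_lub and has_glb):
            return False
    return True


# The paper's two example domains over objects o1, o2, o3.
A1 = domain(observe={"o1", "o2", "o3"}, modify={"o1", "o3"})
A2 = domain(observe={"o1", "o2"}, modify=set())
# An added third domain, incomparable with A2: more modify rights, fewer observe rights.
A3 = domain(observe={"o1"}, modify={"o2"})

# Constructed sample ring brackets (R1, R2, R3) for three objects on a four-ring system.
SAMPLE_BRACKETS = {"kernel_seg": (0, 0, 3), "library": (1, 2, 3), "user_file": (3, 3, 3)}


def demo():
    rd = ring_domains(SAMPLE_BRACKETS, range(4))
    return {
        "A1 dominates A2": dominates(A1, A2),
        "A2 dominates A3": dominates(A2, A3),
        "A3 dominates A2": dominates(A3, A2),
        "{A1,A2,A3} is a bounded lattice": is_bounded_lattice([A1, A2, A3]),
        "ring 0 dominates every ring": all(dominates(rd[0], rd[r]) for r in rd),
        "rings form a bounded lattice": is_bounded_lattice(rd.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The three hand-built domains show why the paper restricts attention to mechanisms whose dominance domains form a lattice: A2 and A3 have no common upper bound among {A1, A2, A3}, so no policy statement about "the domain dominating both" can be made, whereas the ring domains derived from brackets are totally ordered by ring number and so trivially form a bounded lattice with ring 0 on top.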


THE ASSIGNMENT TECHNIQUE


Assignment is the establishment of a relationship between two entities such that the first entity is "assigned to" the second entity. Mathematically, the term assignment is not significant; one could easily have said that entity 1 is related to entity 2. Intuitively, however, assignment is associated with the connotation "to fix authoritatively", which precisely signifies our notion of this process.

Assignment may be denoted by a graph from the first entity to the second as follows:

    entity 1 -----> entity 2

Assignment does not alter either entity. Rather, a relationship between the entities is established which can be expressed in the form of a tuple as follows:

    ( entity 1, "is assigned to", entity 2 )

Regardless of the means of representation, assignment is merely the act of associating an entity or set of entities with some other entity or set of entities.

The essence of the assignment technique is relatively simple. First of all, consider the nature of a lattice security policy. Such a policy partitions the objects of a system into a lattice of equivalence classes. Each equivalence class can be thought of as an entity subject to assignment.

Then consider a mechanism, which establishes a lattice of dominance domains. Each of these domains can also be thought of as an entity subject to assignment.

Since an assignment can be established between any two entities, we can make an assignment between the equivalence classes established by a lattice security policy and the dominance domains that are established by some protection mechanism. We can then validate that (for this assignment) the mechanism is sufficient to support that policy. This determination is made by examining the set of access relations that the mechanism permits, and testing for possible violations of the policy.

We are now ready to illustrate how we may use this assignment technique to evaluate protection mechanisms used in the design of secure computer systems.


APPLICATIONS


The usefulness of the assignment technique appears to be rather far reaching in scope. Research currently underway is investigating a number of possibilities. This paper addresses only a few of the possible applications. The authors wholeheartedly invite the reader to suggest areas of further research. Additionally, comments, opinions, and research findings related to the assignment technique are solicited.

Multics Ring Mechanism Assignments

The question of the sufficiency of the Multics Ring Mechanism for enforcement of the basic national security policy was the initial problem that prompted the current research effort and led to the formulation of the assignment technique. It is appropriate, then, that this paper present this analysis as an introductory application of simple assignment.

Compromise Policy. As stated previously in this paper, the basic National Security policy is a simple lattice security policy. Figure 1(C) illustrates this policy.

The dominance domains of the Multics Ring mechanism are most frequently shown as concentric rings numbered in increasing integer order from the innermost ring, or the kernel. The kernel is generally assigned ring number 0. For simplicity, we only show a system with rings 0 through 3 in this analysis. Other ring numbers will produce similar results.


Consider first the assignment scheme in which the least upper bound of our lattice, TOP SECRET, is assigned to ring 0 and the remaining classes to successively higher-numbered rings. A process which is executing in ring number 1 would then need to be cleared for at least SECRET information according to this assignment scheme.


The Multics Ring Mechanism discriminates among subjects by means of a ring bracket. The ring bracket is a 3-tuple (R1, R2, R3) where R1, R2 and R3 are ring numbers and R1 <= R2 <= R3. Access to objects is restricted such that the current ring of execution must be less than or equal to R2 to observe information and less than or equal to R1 to modify information. Figure 3 shows characteristics of the ring brackets both in terms of the access modes used in this paper and the access modes used in Multics.


Figure 3. Access modes of the Multics ring bracket (R1, R2, R3) against ring number: write (modify), read (observe) and execute.

Consider then an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in ring 0 and ring 1 only. R2 must therefore be 1. A problem now becomes apparent. No matter what value we choose for R1, we are faced with a contradiction. If R1 is 0 or 1 then TOP SECRET processes may modify SECRET files, violating the Confinement Property. If R1 is greater than 1, the restrictions of the ring mechanism would be violated (viz., R1 > R2). Therefore, we can conclude that this assignment is not acceptable.

Consider now the only other potential assignment scheme, where the greatest lower bound of our lattice is assigned to ring 0. The assignment produced is shown in Figure 4.


We now attempt to assign ring brackets to an object classified SECRET. A problem occurs immediately. We want processes executing in ring 2 to be able to observe our SECRET objects, but then a process in ring 0, that is UNCLASSIFIED, will also be able to observe our object. The Simple Security Condition cannot be enforced with this assignment, so this assignment scheme is not feasible.

Since neither of these assignments is acceptable, and shifting the ring assignments numerically would yield similar results, we can see that no assignment will be acceptable. Therefore, the Multics Ring Mechanism is not sufficient to enforce the basic national security policy for compromise.

The basic national integrity policy [2] is the dual of the basic national security policy. Whereas the security policy is concerned with the unauthorized observation of information, or compromise, the integrity policy is concerned with the unauthorized modification of information, or subversion. The assignment technique shows us that the Multics Ring Mechanism is not sufficient to enforce this dual policy either.

The Multics Ring mechanism is not sufficient to enforce the basic national security policy nor the basic national integrity policy. However, a Multics Security Kernel has been designed [13] that is sufficient to support both of these policies. This may seem to be a contradiction, but it is not. The confusion is dissipated when one asks the question, "What form of policy does the Multics Ring Mechanism support?"

Program Integrity Policy. The notion of a program integrity policy stems from the desire to prohibit modification of executable programs by less trustworthy subjects. In the general sense, we wish to ensure that our more sensitive programs are not tampered with. Unlike a strict integrity policy, however, program integrity is not concerned with the issue of general observation of information. Rather, program integrity deals only with execution and modification. In this case, we refine the access mode "observe" to that of "read/execute" access mode, taken in the sense of the general vernacular.

A program integrity policy must consider two issues. First, each entity within the system must have a program integrity access class, designated PI, assigned to it. Second, the ordering of program integrity access classes must be fixed according to the constraints of the policy maker. Once these issues are resolved, we may guarantee that no direct threat is possible by enforcement of the following condition:

Simple Program Integrity Condition: If a subject has "modify" access to an object, then the program integrity of the subject is greater than or equal to the program integrity of the object.

Because program integrity policies are concerned with the execution issue, indirect modification of information is not strictly prohibited. This provides a certain degree of flexibility but also produces a certain amount of risk [2]. Confinement of execution helps to reduce the risk of such an indirect threat. The indirect threat occurs when a subject executes a program that has been modified by another, less trustworthy subject. We can further see the usefulness of confinement in a program integrity policy by noting that this property supports the use of library functions. In a manner directly analogous to that for the national integrity policy [2], we define the confinement property for program integrity as follows:

Program Integrity Confinement Property: If a subject has execute access to an object, then the program integrity of the object is greater than or equal to the program integrity of the subject.

The characteristics of an example program integrity policy in terms of access modes are shown in Figure 5. Such a policy is inherently a lattice policy.

Figure 5. Access mode characteristics of an example program integrity policy.

Consider now a specific program integrity policy. According to this policy, entities are partitioned into one of four access classes designated as User, Supervisor, Utility or Kernel. The sensitivity of these access classes is specified as: Kernel > Supervisor > Utility > User. We then consider an assignment to a Multics ring structure as shown in Figure 6.


... an invalid access relation with respect to this policy. For this assignment, violations are not possible. Therefore, we have shown that the Multics Ring Mechanism is sufficient to support this program integrity policy.
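The two ring-mechanism analyses above (the compromise policy, for which no assignment of classes to rings is acceptable, and the program integrity policy, for which the Kernel-in-ring-0 assignment is sufficient) carried out mechanically, as an added example written for this edition rather than code from the paper. A policy is a predicate on (subject class, access mode, object class); an assignment maps classes to rings; validation asks, for each object class, whether some ring bracket makes the mechanism permit exactly the access relations the policy permits; and an exhaustive search over every assignment of classes to rings 0 through 3 decides sufficiency. The modify and observe bracket rules are the paper's. The execute rule (the executing ring lies within [R1, R3], with rings above R2 entering through a gate) is an assumption drawn from the Multics bracket definition and is not stated in the text above; the class names and ring range are the paper's.

```python
"""The assignment technique applied to a ring mechanism (added example)."""
from itertools import combinations_with_replacement, product

RINGS = range(4)  # rings 0..3, as in the paper's analysis


def compromise_policy(order):
    """Basic national security policy over a chain of classes, least sensitive first.
    Simple Security Condition: observe only if class(subject) >= class(object).
    Confinement Property:      modify only if class(subject) <= class(object)."""
    rank = {c: i for i, c in enumerate(order)}

    def permits(subject, mode, obj):
        if mode == "observe":
            return rank[subject] >= rank[obj]
        return rank[subject] <= rank[obj]  # "modify"

    return ("observe", "modify"), permits


def program_integrity_policy(order):
    """Program integrity policy over a chain of PI classes, least trustworthy first.
    Simple Program Integrity Condition:     modify only if PI(subject) >= PI(object).
    Program Integrity Confinement Property: execute only if PI(object) >= PI(subject)."""
    rank = {c: i for i, c in enumerate(order)}

    def permits(subject, mode, obj):
        if mode == "modify":
            return rank[subject] >= rank[obj]
        return rank[obj] >= rank[subject]  # "execute"

    return ("modify", "execute"), permits


def ring_permits(ring, bracket, mode):
    """Multics ring bracket (R1, R2, R3): modify iff ring <= R1, observe (read) iff ring <= R2.
    The execute rule, ring within [R1, R3], is an assumption taken from the Multics bracket
    definition (rings above R2 enter through a gate); the paper states only modify/observe."""
    r1, r2, r3 = bracket
    if mode == "modify":
        return ring <= r1
    if mode == "observe":
        return ring <= r2
    return r1 <= ring <= r3  # "execute"


def all_brackets(rings=RINGS):
    """Every legal bracket: sorted triples give R1 <= R2 <= R3 for free."""
    return list(combinations_with_replacement(rings, 3))


def violations(policy, assignment, obj, bracket):
    """Access relations on which mechanism and policy disagree for one object class under
    one bracket, as (subject class, mode, mechanism permits, policy permits)."""
    modes, permits = policy
    return [(s, m, ring_permits(assignment[s], bracket, m), permits(s, m, obj))
            for s in assignment for m in modes
            if ring_permits(assignment[s], bracket, m) != permits(s, m, obj)]


def validate(policy, assignment):
    """For a fixed assignment (class -> ring), find a bracket for each object class whose
    permitted relations are exactly those of the policy.  Returns (brackets, unassignable)."""
    brackets, unassignable = {}, []
    for obj in assignment:
        fits = [b for b in all_brackets() if not violations(policy, assignment, obj, b)]
        if fits:
            brackets[obj] = fits[0]
        else:
            unassignable.append(obj)
    return brackets, unassignable


def sufficient(policy, classes, rings=RINGS):
    """Search every assignment of classes to rings (many-to-one included); return the first
    (assignment, brackets) with no unassignable class, or None if the mechanism cannot
    support the policy under any assignment."""
    for chosen in product(rings, repeat=len(classes)):
        assignment = dict(zip(classes, chosen))
        brackets, unassignable = validate(policy, assignment)
        if not unassignable:
            return assignment, brackets
    return None


BNS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
PI = ["User", "Utility", "Supervisor", "Kernel"]
# The paper's first scheme: least upper bound TOP SECRET in ring 0.
TOP_SECRET_IN_RING_0 = {"TOP SECRET": 0, "SECRET": 1, "CONFIDENTIAL": 2, "UNCLASSIFIED": 3}

if __name__ == "__main__":
    bns = compromise_policy(BNS)
    # SECRET must be observable from rings 0 and 1 only, so R2 = 1; with R1 = 1 the
    # TOP SECRET ring may still modify it, violating the Confinement Property.
    for v in violations(bns, TOP_SECRET_IN_RING_0, "SECRET", (1, 1, 3)):
        print("disagreement:", v)
    print("compromise policy:", sufficient(bns, BNS))
    print("program integrity:", sufficient(program_integrity_policy(PI), PI))
```

The validation demands that a bracket permit exactly the policy's access relations, not merely that it permit no forbidden one; this is the sense in which the paper rejects the second compromise scheme, where denying observe access to ring 2 would avoid the Simple Security Condition violation but would also deny SECRET subjects the access the policy grants them. Under that criterion the search confirms the paper's two results: no assignment of the four security classes to rings 0 through 3 supports the compromise policy, while Kernel, Supervisor, Utility and User in rings 0, 1, 2 and 3 (with brackets of the form (k, k, 3) for an object in ring k) support the program integrity policy.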


This issue of what form of protection the Multics Ring Mechanism provides appears to be precisely the issue that Wulf, Jones and the other designers of the "HYDRA" system were attempting to understand [16]. They introduce their discussion by first saying:

"Protection is, in our view, a mechanism." [16]

Their discussion then proceeds to make the following general statement relative to the Multics rings:

"Our rejection of hierarchical system structures and especially ones which employ a single hierarchical relation for all aspects of system interaction, is also, in part, a consequence of the distinction between protection and security. Failure to distinguish these issues coupled with a strict hierarchical structure leads inevitably to a succession of increasingly privileged system components, and ultimately to a "most privileged" one, which gain their privilege exclusively by virtue of their position in the hierarchy. Such structures are inherently wrong ..." [16]

Had the assignment technique been available to the authors of the above statement, they would have been afforded a means of ...




... meet the basic national integrity policy. Examining Figure 1 and Figure 7, the dual nature of these two policies is apparent.

Figure 7. Permissible access relations (observe and modify) of the basic national integrity policy.

To be sure, these brief examples do not completely characterize a practical protection mechanism. However, it appears that ring mechanisms are adaptable for the enforcement of various simple hierarchical policies.


Capability Mechanisms


Considerable effort is currently underway to provide Provably Secure Operating Systems based upon the capability mechanism [6, 10]. It is important to examine what form of protection capabilities actually provide.

Capability mechanisms primarily establish two dominance domains which are enforced by the system hardware. One domain consists of capabilities, and the other is objects that are not capabilities, such as segments and directories. A process takes no note of these dominance dom
ains, however, because all processes have access to capabilities as well as other types of objects. So with respect to a process, the capability mechanism provides no inherent partitioning of the system entities at all. In fact, in trying to determine the structure of dominance domains for non-capability objects, we encounter a veritable ...

CONCLUSIONS


Assignment has been shown to be a useful technique in evaluating the sufficiency of a mechanism to enforce a security policy. This technique is based upon a formalized notion of domains and the lattice nature of security policies.

This method provides considerable insight into the nature of access control. Characterizing a subject as a process-domain pair, we observe that non-discretionary protection is dependent only upon the dominance domains established by the system's mechanisms and the access relations between these domains. The nature of the computation is irrelevant. Furthermore, one can observe that any protection policy can only be implemented on a computer system which has some form of system isolation prohibiting the users from altering the system's isolation method.

This paper presents an introduction to assignment, and several simple examples have been investigated. Considerable research effort is still necessary. Of particular interest is the use of the assignment technique as a guide in the construction of new mechanisms to meet classes of policies of broad interest. Assignment research has already provided considerable insight into the nature of security enforcement, providing a means of formally presenting the characteristics of mechanisms and policies. Mechanisms can be categorized by the type of enforcement ...


REFERENCES

[1] Bell, D. E. and LaPadula, L. J., Secure Computer System: Unified Exposition and Multics Interpretation, MITRE Corporation Report MTR-2997 (ESD-TR-75-306), March 1976.

[2] Biba, K. J., Integrity Considerations for Secure Computer Systems, MITRE Corporation Report MTR-3153 (ESD-TR-76-372), April 1977.

[3] Denning, D. E., Secure Information Flow in Computer Systems, Ph.D. Thesis, Purdue University, May 1975.

[4] Denning, D. E., "A Lattice Model of Secure Information Flow", Communications of the ACM, Vol. 19, p. 236-243, May 1976.

[5] Department of Defense, DoD 5200.1-R, DoD Information Security Program Regulation.

[6] Feiertag, R. J. and Neumann, P. G., "The Foundations of a Provably Secure Operating System (PSOS)", AFIPS National Computer Conference, 1979, p. 329-334.

[7] Grohn, M. J., A Model of a Protected Data Management System, Canadian Commercial Corporation report, ESD-TR-76-289, June 1976, p. 23.

[8] Jones, A. K., "Protection Mechanism Models: Their Usefulness", in Foundations of Secure Computation, edited by R. A. DeMillo and others, p. 237-254, New York: Academic Press, 1978.

[9] Lampson, B. W., "Protection", Proceedings Fifth Annual Conference on Information Sciences and Systems, Princeton University, p. 437-443, March 1971.

[10] Neumann, P. G., Robinson, L., Levitt, K. N., A Provably Secure Operating System, Stanford Research Institute report, June 1975.

[11] Schell, R. R., "Security Kernels: A Methodical Design of System Security," USE Technical Papers (Spring Conference, 1979), March 1979, p. 245-250.


L 1 ^  j  Cchroeaer,  ii.  J.,  Cooperation  of  Mutually  suspicious  Subsys¬ 
tems  in  a  Computer  utility^,  As-7ps  1737?  h .  D.  Thesis,  aas- 
saenusetts  Institute  of  Technology,  September  1972* 

U3j  Schroeder,  r*.  D .  ,  Clark,  D.  D  •  ,  and  Saltzer,  J.  ii.,  "The 
Multica  kernel  Design  Project",  Proceedings  of  Sixth  nCM 
symposium  on  operating  Systems  Principles,  .isvember  1977,  p. 
43-io • 


2o 


►  Jc 


* _ L 


Uj  jiiirxcj  ,  ^  •  o.,  ,»oa-j  iscre  t  denary  ^ecari:y  Yalidat icn 

s  o  i  ^nme  n  t  ,  ^asters  i.  ii^s  i  3  ^  ^civiii  rost^radaate  *^cnoOj», 
p i*c  lut u  x oil  * 

1  j  j  .I  alter,  a.,  a .  and  o  tilers,  Primitive  /oaels  :'cr  J  empu 
^ecuri ty ,  dase  ucSutrn  Reserve  University  .fcerert, 
i  •+“ 1  *  i  *  v+^i)»  °  an  uary  i  y  t  *t  • 

iuj  ..uii'  ft.  ana  ^tners,  ^y d r a :  Tne  dirnel  oi  a  /.alt iprccessor 
^rxtinf:  system,  Jurne0ie-x.ellon  university  -deport,  A1C 

4 —  1  w  i  >  |  >  1  *t  /  )  y  uIlS  1  y  (  jr  ,  p.  1^. 


iu 

' 


^eiense  Aecnrucai  ^mormation  center 

u^cron  Station 

n-dxariUir m ,  .  i  r  0  i  n  i  a  c.  y  1  t 

Library,  wOae  u 

..aval  Post  urauuate  school 

^onterey,  California  53J4U 

Office  of  research  Administration 

uOdtf  O  1 

..aval  Post  graduate  ocnool 
i-ionterey,  California  55^40 

department  Chairman,  Code  52 
department  of  computer  Science 


t  j  t  i  e  s 


.♦aval  Postgraduate  ccnool 
wontery,  California  5532u 

] 

CC^  ^o^er  R.  Scnell,  Coue  52wj 
department  uf  Computer  Science 
..aval  Postgraduate  School 
noatery,  California  539*+c 

10 

i 

d*y  ie  t\  •  uox,  u  r .  ,  code  >  ^  c  1 
department  of  computer  Science 
..aval  Postgraduate  ochoci 
uontery,  California  y3Cwc 

■+ 

i 

i 

j 

1 

Commandant,  '  J .  3.  Coast  ^uara  vC-HS) 

<_  1  cc  2nd  S  t .  3  •  w  • 

’nasnington,  d,C.  2uyyu 

j 

Commandant,  C.  S.  Coast  Ouara  (c-PCS) 
clew  ^na  St .  3  .  . 

.i asnington ,  O.C.  2uo^u 

2 

j 

0.  ijawrence  C.  Shirley 

ot'.C  OCX  <£.Oo1 

.*avai  Postgraduate  Ccnool 
hontery,  California  yy.Hu 

1u.  James  P.  Anderson 
Sox  h-2 

tort  Washineton,  ?a.  15052 


1o 


1 


30 


A 


i 


i  i  •  -  e  r  r  y  ~  •  nrnolu 

4 ~ j j y  casino  c  1  o 1 j. t 1 4 

ite 

i  .  w  .  OCX  uUdIT 
~un  cie^o,  a •  jolou 


1  -  .  C  .  u  .  freeman 

u wiu^u  u <« r  uoit^nc^is  v o r p  • 

<,est  oroaa  Ctr eel 
;axis  -nurcn,  Virginia  ^0c<*o 
rvttn:  ^n^ria  *iues 

I  y  •  w r a c e  uda^tdiii)  Pres. 

-xeeutect 

1  1  co  u0uon  Ctreet,  Suite  o: 
oar*  irancioco,  Ca .  941  of 

1  *r  •  c  an i e  x  c  »  i\  G  L  xy  e  r 

4ae  aerospace  Corporation 
f .  c .  oox  jt-yol 

^jOS  rvn^jlqJS,  v,a  . 

It-  i.arvin  Ccnaefer 

oyateu*  ceveiopiLent  corporation 
<-;,cc  coioraao  nveriue 

cU*i  Da  .'ion i oa f  *^a#  oo 

1b*  C oan  ? .  Scnill 

code  oOol  concept  Cevelopixent  Branch 
x  s  uept 

.•aval  ocean  Cystens  Center 
oan  j i qO  i  c a •  9 u  1  p u 

1  V  *  Peter  C .  Tasxer 

i'ne  i‘*itre  Corporation 

P  •  c  •  X  G  X  t-OO  * .  *«.  /x  ^ 

xeai ora ,  •  cl  / 

1  o .  nein  Burn 

California  ctate  university,  ..ortnriage 
uepartment  ox  Computer  Ccience 
lalll  4«oruhOxf  Street 
.•or tnr  iage  ,  Ca.  9133^' 

1  ^  *  iky  le  ~  •  rthite 
P.  J.  Box  Ion 
Vandenourfo  Af  B ,  Ca.  93*o7 

uo .  «onn  ^ooawura 

Cne  tiitre  Corporation 

P .  O .  cQX  COG 

oeaxora,  iias3.  C 1  7>c 


1 


1 


1 


1 


1 


1 


1 


31 


i 


•  uataryn  aeni&er,  Ooae  7? 
.♦aval  aeocarcn  ^ao 

•<  c^o  n  i  i  ton,  •j*  uL\j  j  i  j 


Joel  Trimole,  Coae 
offic ti  of  ^aval  aesearcn 
oou  *i  o  r  t  n  ^aincy 
r  .a.  i  o  o n ,  '/a*  l. t—  Cm  1  i 


Chief  of  ^avai  hesearch 
r\T x  i  n  q  t  o  n ,  *  a  •  dc.  / 


•  Carx  xunawenr 
C  o  a  e  1'jdc. 

..avax  research  ^aooratory 
Casuin^tori,  ^ .  0.  2oB7i? 

O*  Steven  3.  xipner 

xi^itai  x.^uipment  ^orp. 

Au  j—c.  j  JJH  1 

Wc  *iain  otreet 
;iaj  nara,  waas .  01 


;2 


